Yesterday I was asked to add the following statement to a website:
Cookies are small text files which are placed on your computer and
remember your preferences/ some details of your visit.
I pushed it back to the editors saying that cookies are not files, but data stored into a file.
They said that the text was based on the BBC cookie's policy page. So I read other pages about it:
https://support.twitter.com/articles/20170514
Wiki says something different (which is what I thought was right):
http://en.wikipedia.org/wiki/HTTP_cookie
Anyone with enough knowledge about the subject to help?
Well, regardless of Twitter or BBC's cookie policy, let's look at Wikipedia's definition:
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website.
We may indeed just be arguing semantics here, but I think your version is more accurate than the editors' at least in terms of the abstraction being discussed. I'd slightly modify it:
Cookies are not files, but data. Data which may be stored in a file, but data nonetheless.
Now it's entirely possible that every web browser happens to store this data in files. I can't say that with any certainty, but it's possible. The browser isn't required to store it in a file, text or otherwise. It's just required to store the data.
Now, having said that, if this is the language that the customer wants to use on the customer's website, then it's their choice. You are fee to advise them (even, I'd argue, expected to advise them as a professional) but ultimately we're just talking about text copy on a webpage, which the customer defines.
To put it another way... Their policy may be inaccurately worded, but it's their policy. Changing policy is a business decision. From a business perspective it's likely more important that the company's website accurately reflect the company's policy than that it accurately reflect an industry technical definition.
Related
When you go to a website, if they are GDPR compliant they ask whether you consent to them tracking you. If as a user, I click "Deny", how does that website comply with that request? I as the user am not asked again, which to me indicates they have stored something somewhere, probably via a cookie.
Is this the correct way to obtain and work with GDPR? I would have thought by denying tracking, this would include any cookies.
GDPR legislation pertains primarily to Personally Identifiable Information (PII). Storing dissent in a cookie or localStorage doesn't violate that assuming there isn't anything that identifies the particular user, like trackingConsent=false.
Cookies are not only related to "tracking". They are mostly used to persist the state of the application, like session information or cookie acceptance. It is not gonna work otherwise, only option is to disable them on the browser level, but the legislator chosen to force page owner to do it.
You may provide the page that you are asking about. It quite probably stores your refusal in a cookie or some modern persistent storage. Personally I saw page that after refusal was simply asking again and again.
You may also check by yourself if there are some cookies stored. Depends on the browser, but quite probably f12 button and storage tab.
I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user consent before data treatment ; so for me, it would suggest that we must deactivate G.A. tracking as long as user doesn't optin to that treatment.
If I do so : I refresh the page when user has optin, so the data collection can begin ; Problem doing that : we loose the referrer param (since we do a JS refresh, this param is lost : referrer will be the current page)
Others questions :
If I activated IP anonymisation on G.A. : Must I obtain the user consent or can I send the datas by default (and offer the possibility to user for opt-out) ? (many websites seems to have this process, but it seems contradictory with the user-consent obligation...) but this topic suggest to proceed like this.
Regarding cookie law : Is it allowed to store in cookies the user client-id (that G.A. uses) without the user consent ? If not, how to workaround this limitation, and use G.A. without allowing it to set cookies ?
Is there a way to store user activity without sending it to G.A, and when user opt-in -> send all that datas ?
Many thanks in advance !
Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say for example process discounts if it came from a certain link), it might be considered essential. The lines are bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that were stored in JS as variables can now be written into cookies.
My question is: I'm developing a website and I want to monitor analytics with Google Analytics, however I've been reading articles about cookies and I didn't realize if I need to program my website with some kind of cookies in order to use google tool, or if I simply don't need to do anything on my website.
Thanks
To do tracking you simply need to insert the code snippet that you can get from the GA admin interface.
However since you are in the EU you need to point out to your visitors that they are being tracked on your web page and that the site uses cookies to do so (and I think you need to provide an opt-out, although that might be a German thing). This is mandated by the European Privacy directive, which is sometimes referred to as "Cookie Law" (technically incorrect, since it is neither a law nor specifically about cookies), so maybe this gave you the idea that you need to do extra programming.
We have been working on a gaming website. Recently while making note of the major traffic sources I noticed a website that I found to be a carbon-copy of our website. It uses our logo,everything same as ours but a different domain name. It cannot be, that domain name is pointing to our domain name. This is because at several places links are like ccwebsite/our-links. That website even has links to some images as ccwebsite/our-images.
What has happened ? How could have they done that ? What can I do to stop this ?
There are a number of things they might have done to copy your site, including but not limited to:
Using a tool to scrape a complete copy of your site and place it on their server
Use their DNS name to point to your site
Manually re-create your site as their own
Respond to requests to their site by scraping yours real-time and returning that as the response
etc.
What can I do to stop this?
Not a whole lot. You can try to prevent direct linking to your content by requiring referrer headers for your images and other resources so that requests need to come from pages you serve, but 1) those can be faked and 2) not all browsers will send those so you'd break a small percentage of legitimate users. This also won't stop anybody from copying content, just from "deep linking" to it.
Ultimately, by having a website you are exposing that information to the internet. On a technical level anybody can get that information. If some information should be private you can secure that information behind a login or other authorization measures. But if the information is publicly available then anybody can copy it.
"Stopping this" is more of a legal/jurisdictional/interpersonal concern than a technical one I'm afraid. And Stack Overflow isn't in a position to offer that sort of advice.
You could run your site with some lightweight authentication. Just issue a cookie passively when they pull a page, and require the cookie to get access to resources. If a user visits your site and then the parallel site, they'll still be able to get in, but if a user only knows about the parallel site and has never visited the real site, they will just see a crap ton of broken links and images. This could be enough to discourage your doppelganger from keeping his site up.
Another (similar but more complex) option is to implement a CSRF mitigation. Even though this isn't a CSRF situation, the same mitigation will work. Essentially you'd issue a cookie as described above, but in addition insert the cookie value in the URLs for everything and require them to match. This requires a bit more work (you'll need a filter or module inserted into the pipeline) but will keep out everybody except your own users.
I found that the cookie in browser is a random string which web server sends to each client for remembering users' information purpose. But I don't understand in programmers viewpoint, what does cookie use for?
For example, I've used EditThisCookie extension in Chrome Browser to read wikipedia.org site's cookie, in the following picture included here. The value of this cookie (sessionId) is useless for programmers (EDIT: I mean I don't extract any information from this cookie, I know the cookie is very important for web developers, so sorry about my poor expression). If I get this cookie, which kind of information I can understand about the users?
Looking for some help! Thank you very much!
The example about cookie
http://i102.photobucket.com/albums/m86/dienkun1/cookie_example_zps455f0dad.png
EDIT: Sorry, I've just expressed my problem in wrong way.
Actually, I am going to write an extension for collecting users' preferences via users' cookie, but I can't understand anything what information can be extracted from cookie. I've read about cookie in many documents, like wikipedia, and all of them just show how to get cookie, the definition of cookie, classified... and nothing about which information we can get from cookie.
Thank you very much!
Why do you say that the sessionId is useless for programmers? It actually can be extremely useful. Somewhere on Wikipedia's servers, they're probably storing quite a bit of information about your session. This could include things like whether you've already hidden one of their fundraising banners (so that it won't keep showing it to you again and again), to things that are required for basic functionality, such as what user you are currently logged in as.
However, Wikipedia is storing this same information for millions of sessions. It needs a way to tie the information back to each individual browser. That sessionId is how it does so. It set the sessionId in a cookie when you first accessed the page, and that cookie gets sent back to the server with every request you make to it now. Then they have code on the back end that reads that sessionId from the cookie and uses it to look up all of the information specific to your session, and do whatever needs to be done with it.
You could of course store the session information itself in the cookies, but there are a couple problems with that. First, there are limits on the size of each cookie, and on the overall size of all cookies for a single domain. Some of the data you want to store might not even fit. But the bigger problem is that cookies can be very easily manipulated by the end user. If you stored the information of who the user is logged in as in a cookie, the user could just change that value to something else, and suddenly be logged in as someone else! Of course, it's also possible that the user could change their sessionId to be some other user's session and suddenly be logged in as them. That's why session IDs need to be as random as possible, and should be long enough that guessing someone else's is basically impossible.
Well, why would someone bother writing a sessionId to a cookie if it's useless?
Cookies are extremely useful when it comes to (e.g) identifying users on your site so you can have them logged in right away, count their visits, track them on your site and even beyond.. only to name a few use cases.
To cite a somewhat popular site (wikipedia.org):
Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited by the user as far back as months or years ago).
The most important word here is "stateful".